Active Directory Certificate Services Best Practices

AD CS is composed of several role services that perform several tasks. One or more of these role services can be installed on a server as required. These role services are as follows:

  • Certification Authority— This role service installs the core CA component, which allows a server to issue, revoke, and manage certificates for clients. This role can be installed on multiple servers within the same root CA chain.
  • Certification Authority Web Enrollment— This role service handles the web-based distribution of certificates to clients. It requires Internet Information Services (IIS) to be installed on the server.
  • Online Responder— The role service responds to individual client requests regarding information about the validity of specific certificates. It is used for complex or large networks, when the network needs to handle large peaks of revocation activity, or when large certificate revocation lists (CRLs) need to be downloaded.
  • Certificate Enrollment Web Service— This new service enables users and computers to enroll for certificates remotely or from non-domain systems via HTTP.
  • Certificate Enrollment Web Policy Service— This service works with the related Certificate Enrollment Web Service but simply provides policy information rather than certificates.
  • Network Device Enrollment Service— This role service streamlines the way that network devices such as routers receive certificates.

Active Directory Certificate Services Hierarchy

Public Key Infrastructure must be deployed in hierarchical order to securely deliver certificates to clients, applications and servers. The best way to achieve this is to deploy a standalone offline root CA and an online enterprise subordinate CA. An offline root CA means you shut the CA down once you have obtained the CRL chain for the subordinate CA. The subordinate CA stays powered on and joined to the domain. The offline root CA runs in a workgroup and is not a domain member.

Standalone offline Root CA:


  • Principal component of PKI infrastructure
  • Provide CRL sign off capacity for subordinate authority
  • Provide Web Enrolment for Sub-ordinate Certificate Authority
  • Maintain CAPolicy.inf to record OID and certificate authority validity period

Online Enterprise Subordinate CA


  • Subordinate Component of PKI infrastructure
  • Present and issue Certificates to clients
  • Sign off Web Certificates for application
  • Management point of Certificate Infrastructure
  • Maintain CAPolicy.inf to record OID and certificate authority validity period

Certificate Services Best practices

  • Analyze and plan necessity of Active Directory Certificates or public key infrastructure (PKI) in your organization before deploying certification authorities (CAs)
  • Place database and transaction log files on separate hard drives possibly SAN
  • Keep the root certification authority offline and secure its signing key by hardware and keep it in a vault to minimize potential for key compromise
  • When changing security permissions for the certification authority (CA), always use the Certification Authority snap-in
  • Do not issue certificates to users or computers directly from the root certification authority
  • Always point clients to the subordinate CA for any certificates
  • Back up the CA database, the CA certificate, and the CA keys
  • Ensure that key lifetimes are long enough to avoid renewal issues
  • Review the concepts of security permissions and access control, since enterprise certification authorities issue certificates based on the security permissions of the certificate requester
  • Use Secure Sockets Layer (SSL) when using Web-based certificate enrollment

Certificate Provider

Select "RSA#Microsoft Software Key Storage Provider" with sha1 if there is any Windows XP client; otherwise select "RSA#Microsoft Software Key Storage Provider" with sha256 as the certificate provider.

Cryptographic Key Length

Use 2048 bit cryptographic length for both offline Root CA and Subordinate CA.


  • Plan certificate templates before deployment
  • Only Publish templates that are necessary
  • Duplicate new templates from existing templates closest in function to the intended template
  • Do not exceed the certificate lifetime of the issuing certification authority
  • Do not delete the Certificate Publishers security group

Validity Period

  • Offline Standalone Root CA- 10 Years
  • Online Enterprise Subordinate CA- 10 Years

Revocation List

The following sections summarize how certificate revocation checking works.

  • Basic chain and certificate validation
  • Validating revocation information
  • Network retrieval and caching

Revocation Best Practice

  • Leave the default revocation checking behavior instead of using CRLs for revocation checking
  • Instead of creating long listings of URLs for OCSP and CRL retrieval, consider limiting the lists to a single OCSP and a single CRL URL
  • Use CryptoAPI 2.0 Diagnostics to Troubleshoot Revocation Settings
  • Use Group Policy to Define Revocation Behavior

Audit Policy

Select the following audit policy settings on both Certificate Authorities:

  • Backup and restore the CA database
  • Change CA configuration
  • Change CA security settings
  • Issue and manage certificate request
  • Revoke certificates and publish CRL
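
The audit categories above are stored on the CA as one bitmask in the AuditFilter registry value. The following added example (not part of the original article) reads that value from `certutil -getreg CA\AuditFilter` output and reports which of the five categories listed above are still switched off. The sample output and its CA name are constructed, and the exact output layout is an assumption.

```python
import re

# One bit per CA audit category in the AuditFilter registry value.
AUDIT_BITS = {
    0x01: "Start and stop Active Directory Certificate Services",
    0x02: "Back up and restore the CA database",
    0x04: "Issue and manage certificate requests",
    0x08: "Revoke certificates and publish CRLs",
    0x10: "Change CA security settings",
    0x20: "Store and retrieve archived keys",
    0x40: "Change CA configuration",
}

# The five categories this page tells you to select: 0x5e (94).
REQUIRED_MASK = 0x02 | 0x40 | 0x10 | 0x04 | 0x08

# Constructed sample of `certutil -getreg CA\AuditFilter` output.
# "Example-Issuing-CA" is a made-up CA name; the layout is an assumption.
SAMPLE_OUTPUT = r"""HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\Example-Issuing-CA\AuditFilter:

  AuditFilter REG_DWORD = 6 (6)
CertUtil: -getreg command completed successfully.
"""


def read_audit_filter(certutil_output):
    """Extract the AuditFilter DWORD from certutil output (decimal in parentheses)."""
    match = re.search(
        r"AuditFilter\s+REG_DWORD\s*=\s*[0-9a-fA-F]+\s*\((\d+)\)", certutil_output
    )
    if match is None:
        raise ValueError("no AuditFilter REG_DWORD value found in the output")
    return int(match.group(1))


def enabled_categories(value):
    """Names of every audit category whose bit is set in the value."""
    return [name for bit, name in sorted(AUDIT_BITS.items()) if value & bit]


def missing_categories(value, required=REQUIRED_MASK):
    """Names of required categories whose bit is not set in the value."""
    return [
        name
        for bit, name in sorted(AUDIT_BITS.items())
        if required & bit and not value & bit
    ]


if __name__ == "__main__":
    current = read_audit_filter(SAMPLE_OUTPUT)
    print(f"AuditFilter = {current} (0x{current:02x})")
    for name in enabled_categories(current):
        print(f"  enabled: {name}")
    for name in missing_categories(current):
        print(f"  MISSING: {name}")
```

Running `certutil -setreg CA\AuditFilter 127` turns on all seven categories; the CA service must be restarted, and the events only reach the Security log when object access auditing for Certification Services is enabled on the server.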

Backup Certificate Authority

  • Backup Public Key
  • Backup CA database
  • Retention: Daily increment/Monthly Full

Security Permission on Template

The following table summarizes certificate security permissions in AD CS.

Domain Computers Auto-Enroll Read Only
Domain Users Auto-Enroll Read Only
Wintel Administrator Full Control Full Control

Security Permission on Servers

You must create role separation in Active Directory Certificate Services to provide greater control over the Certificate Authority. To enable role separation, open an elevated command prompt and type certutil -setreg ca\RoleSeparationEnabled 1. The following table describes role separation for AD CS.

CA Administrator: Full Permission
Certificate Manager: Issue and Manage Certificates
Auditor: Manage auditing and security log (Local Security Settings/Security Settings/Local Policies/User Rights Assignments)
Backup Operator: Back up file and directories (Local Security Settings/Security Settings/Local Policies/User Rights Assignments)
Enrollees: Authenticated Users

The following are the messy configurations you must avoid when installing a Certificate Authority.

  • Do not install Certificate Authority on any Domain Controller or server with other roles unless you are a small business and you have only one or two servers in your organization. In this case, you don’t have any choice.
  • Do not install both certificate authority in two different operating systems such as Windows Server 2003 and Windows Server 2008.
  • Do not keep CAs in different patch and update level.
  • Do not use 1024 bit encryption length.


An Overview of Active Directory Certificate Services (AD CS)

Certificate services provide a public key infrastructure (PKI) for an organization. There are many benefits to having a PKI in an Active Directory infrastructure. One of the biggest advantages of deploying certificates is identifying the requestor that requests information from a server. This can be a web server, Exchange web mail or a Windows client requesting authentication from Active Directory. The server that approves and delivers certificates is called a certificate authority, or CA for short. Microsoft CA provides many options for diverse customers to deploy certificates according to security requirements, organizational structure and geographical location. That is, certificates can be deployed in a hierarchical manner. The top of the certificate hierarchy is called the Enterprise root CA. There can be more than one subordinate CA, depending on your needs. A certificate authority can be a standalone or an Enterprise CA. A standalone offline root CA can be used to provide PKI for internal users. The standalone root CA is put offline to provide an extra layer of security to authentication. A subordinate CA placed under the standalone root can work as usual. In this case, your root CA isn't compromised. When you request a certificate from the subordinate CA, you have to approve the request manually. Again, this type of deployment provides an extra layer of security, as you can see who is requesting a certificate.

Installation of Root CA:

To install an Enterprise Root CA, build a Windows Server 2008 machine and join it to the domain. Log on as a domain admin. Add and install the Web Server (IIS) role on that server as a prerequisite. Once finished, add the Active Directory Certificate Services role. Select Enterprise root CA while installing the CA. More detailed installation guides are in these screen shots.

To install a standalone root CA, follow similar steps, with the one exception that a standalone CA isn't part of an Active Directory domain. You have to manually import the certificate request to the standalone CA server, which I will explain in a later part of this article.

Segregating CA Management Role:

To secure CA management and delegate management authority, you can segregate roles in the certificate authority. There are five roles available to manage a CA: CA Administrator, CA Manager, CA Auditor, Backup Operator and Enrollees. To assign these roles, log on to the CA as an administrator and open the CA management console. Right-click the CA server name and click Properties. Go to the Security tab, add specific groups to this window and assign the desired roles. The following screen shots illustrate these options.



HTTPS or secure certificate enrollment:

Before you can enroll certificates, install an SSL certificate for the CA itself and provide an FQDN for users and computers to request certificates.

Open the IIS management console on the CA server. Click the CA server>click Create Domain Certificate in the Actions pane on the right-hand side.





Click Finish to complete request.

Click on Sites>click Bindings


Click Add>Select SSL>Select IP & Port 443


Select Certificate you just created.

Now Create a CNAME in DNS server such as

Open IE browser to test SSL certificate request.


Managing Templates:

There are default certificate templates in the CA. The templates are stored in Active Directory for use by every CA in the forest. When deploying certificates, duplicate a template similar to your purpose (right-click Certificate Templates>Manage), name the template, set the certificate period, publish it in Active Directory, and set up security on the Security tab. Now right-click Certificate Templates>click New>click Certificate Template to Issue. You must select the appropriate group in the Security tab of the certificate properties to safeguard this certificate from different groups of users.

Installation of Subordinate CA:

Prepare a Windows Server 2008 machine. Depending on your deployment topology, open Server Manager, click Add Roles, click Next, and click Active Directory Certificate Services. Click Next two times. Now select the following in the next steps.

Setup Type: Standalone or Enterprise

CA Type: Subordinate

Private key: Create a New Private Key


On the Request a certificate step, you have two options. If your Enterprise root CA is part of the domain, you can request a subordinate CA certificate automatically or manually. However, if your Enterprise root CA is standalone or the subordinate CA is standalone, then you have to generate a certificate request and submit it to the root CA. In this article, I am requesting the certificate manually because you can perform the automated request.


Click Next and Finish installation.


Open Requested Certificate and copy entire content in the notepad. Open IE browser and browse Root CA cert enroll page such as


Click on Request a certificate, Click on Advanced certificate request.


Click on submit a certificate request..


Paste the certificate request on Base 64 encoded box and select subordinate CA. Click submit.


Now download requested certificate and save it on subordinate CA.



Log on to subordinate CA and open CA management console>Click All Tasks>Click Start CA. You will be prompted to import subordinate certificate from root CA. Browse the location of certificate you exported/saved in previous steps and select certificate. Your subordinate CA will start now.


Start Menu>run>Services.msc>Check Active Directory Certificate Services set to automatic. Now Manage and secure CA as mentioned in this article.

If your root CA is standalone then you can take your root CA offline now. Open Event Viewer by typing eventvwr.exe in Start menu>Run. Check that AD CS is functioning properly.


To setup auditing in AD CS, right click on AD CS server>property>Auditing Tab>Select preferred Auditing for CA Server.


To restrict an enrollment agent in the CA, open the CA console>right-click the subordinate CA server>Properties>click the Enrollment Agents tab>click Restrict enrollment agents. Here you can add the groups or users that are allowed to request certificates on behalf of another client, and remove Everyone. Similarly, you can disallow everybody from requesting an agent enrollment. Note that an enrollment agent can only request certificates but cannot approve or revoke certificates.


To setup pending request in CA, log on to CA and open CA console. Right mouse click on CA server>Click property>Click Policy Module>Click Properties>Click Set certificate request status to pending.



Restart AD CS services.

Requesting Certificate from standalone CA:

Create a text file, rename it to, for example, NewRequest.inf, and paste the following contents into it:

[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=<DC fqdn>" ; replace with the FQDN of the DC
KeySpec = 1
KeyLength = 2048
; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
; 2048 is used here because this page advises against 1024-bit keys.
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication

Here, CN= is the FQDN of the server where the requested certificate will be installed (the computer you are creating the certificate for, for example, the gateway server or management server).

Now type the following command, and then press ENTER:

certreq -new -f NewRequest.inf NewCert.req

To submit the new request, type the following command, and then press ENTER:

certreq -submit -config "FQDN of the YourCA\Your CA Name" NewCert.req NewCert.cer

Now approve the certificate from the CA management console and retrieve the certificate using the following command:

certreq -retrieve RequestID NewCert.cer

Type the following command to accept the certificate, and then press ENTER:

certreq -accept NewCert.cer
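
A pre-submission check for a certreq request file like the one above, as an added example that is not part of the original article: it parses the INF text and flags typographic quotes pasted from a web page, an unfilled subject, a key shorter than the 2048 bits this page recommends, an exportable private key and an empty enhanced key usage OID. The rule names and the sample file are constructed for illustration.

```python
import re

MIN_RSA_BITS = 2048  # this page's rule: 2048-bit keys, never 1024
CURLY_QUOTES = "\u201c\u201d\u2018\u2019"

RULES = {  # rule ids are made up for this example
    "smart-quotes": "typographic quotes found; retype them as plain ASCII quotes",
    "subject-placeholder": "Subject is empty or still contains <...> template text",
    "keylength-unset": "KeyLength is not set; the size is left to the provider",
    "weak-key": f"KeyLength is below {MIN_RSA_BITS} bits",
    "exportable-key": "Exportable = TRUE lets the private key leave this machine",
    "eku-missing": "[EnhancedKeyUsageExtension] has no OID value",
}

# Constructed input: a request file carrying the defects discussed on this page
# (quotes mangled by a web copy, unfilled subject, 1024-bit key, empty OID).
SAMPLE_INF = """\
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = \u201cCN=<DC fqdn>\u201d ; replace with the FQDN of the DC
KeySpec = 1
KeyLength = 1024
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID= ; this is for Server Authentication
"""


def strip_comment(line):
    """Drop a ';' comment unless the ';' sits inside double quotes."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            return line[:i]
    return line


def parse_inf(text):
    """Parse INF text into {section: {key: [values]}} with lower-cased names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = strip_comment(raw).strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current.setdefault(key.strip().lower(), []).append(
                value.strip().strip('"')
            )
    return sections


def lint_request(text):
    """Return the sorted ids of the rules that the request file violates."""
    findings = set()
    if any(ch in text for ch in CURLY_QUOTES):
        findings.add("smart-quotes")
        text = re.sub("[\u201c\u201d]", '"', text)  # normalise so parsing goes on
    inf = parse_inf(text)
    req = inf.get("newrequest", {})
    subject = req.get("subject", [""])[-1]
    if not subject or "<" in subject or ">" in subject:
        findings.add("subject-placeholder")
    bits = req.get("keylength", [""])[-1]
    if not bits.isdigit():
        findings.add("keylength-unset")
    elif int(bits) < MIN_RSA_BITS:
        findings.add("weak-key")
    if req.get("exportable", ["FALSE"])[-1].upper() == "TRUE":
        findings.add("exportable-key")
    oids = inf.get("enhancedkeyusageextension", {}).get("oid", [])
    if not any(oids):
        findings.add("eku-missing")
    return sorted(findings)


if __name__ == "__main__":
    for rule in lint_request(SAMPLE_INF):
        print(f"{rule}: {RULES[rule]}")
```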

Removing Certificate Authority: Log on to the system as the user who installed the certification authority. Server Manager>Roles>Remove Roles>select AD CS and remove the CA. Restart the decommissioned CA server. To remove the remaining information about this CA from Active Directory, type the following from an elevated command prompt:

certutil.exe -dsdel CAName and press ENTER

Dealing with Event ID 100, 7024, 48:

Issue a new certificate revocation list by running the certutil.exe -crl command from an elevated command prompt.

Type certutil.exe -setreg CA\LogLevel 2 and press ENTER to change the log level in the registry.

To disable revocation list checking, type the following from a command prompt and press ENTER.


Windows Server 2008: how to configure Network Policy Server or Radius Server –Step by Step Guide


Step1: Prepare AAA Environment

  • Windows Server 2008 SP2 or Windows Server 2008 R2
  • Active Directory Domain Services
  • Active Directory Certificate Services
  • DHCP
  • Radius i.e. NPS must be a member of domain
  • Computer certificate installed in Radius Server
  • Windows 7, Windows XP or Mac OSX 10.5.8 Client
  • Cisco Wireless Access Point

Step2: Installation

Start menu>Administrative Tools>Server manager>Roles>Add Roles


Step3: Setup Clients

Administrative Tools>Network Policy Server>Radius Client>Right Click>New Radius Client


The RADIUS secret entered here must be the same as on the Cisco wireless access point. You must verify the connection by clicking Verify.

Step4: Setup Policy

Network Policy Server>Policies>network Policies>Right Click>New


This is a highly important part of the entire configuration. Based on your needs, choose the desired configuration type from the following.

VPN Tunnel Type:L2TP

NASPort Type: VPN or Wireless

EAP Type: EAP-TLS, MSChap v2 or PEAP

AD Group: Wireless User Group or VPN User Group

Here, you can choose one or both depending on your infrastructure. I have shown both VPN and Wireless Client.

Here, I am showing both EAP types for this article. But you have to choose only one, again depending on your infrastructure.

Smart card or Certificate is the best option. For Windows 7 and XP, only certificates will work smooth as silk. However, if you have a Macintosh client then you have to choose Certificate and PEAP.

If you want VPN clients to authenticate via RADIUS, i.e. NPS, then select the tunnel type.

Here, I explained a standard RADIUS config. I would recommend the following for two different situations:

  • L2TP, Certificate and EAP for VPN Client
  • Certificate, PEAP and MSChap v2 for Wireless Client.

You can have more than one policy in NPS. A single server can be used to authenticate both VPN and wireless clients. For some weird reason, my Macintosh client did not work with only user and machine certificates. Apple support advised me to use a user cert and the RADIUS shared secret instead. But for Windows 7 and XP clients, certificates and EAP will work smooth as silk.


Install and configure Microsoft Active Directory Certificate Services (AD CS) using Windows Server 2008 R2

Microsoft Active Directory Certificate Services (AD CS) in the Windows Server 2008 provides customizable services for creating and managing public key (PKI) certificates. You can use AD CS to enhance and implement security by binding the identity of a person, device, computers or services to a corresponding private key. AD CS also includes features that allow you to manage certificates enrolment and revocation if necessary. Applications supported by AD CS include Secure/Multipurpose Internet Mail Extensions (S/MIME), secure wireless networks, virtual private network (VPN), Internet Protocol security (IPsec), Encrypting File System (EFS), smart card logon, Secure Socket Layer/Transport Layer Security (SSL/TLS), and digital signatures.

Standard hardware works for a Windows 2008 AD CS server. Depending on individual needs and budget, you may virtualise it or use a separate AD CS server. If you have more than one domain controller, you can configure one of them as the CS server. It doesn't hurt anybody. AD CS requires Windows Server 2008/2003 and Active Directory 2008/2003 Domain Services (AD DS). Here, I am going to talk about Windows 2008 AD CS. Although AD CS can be deployed on a single server, many deployments will involve multiple servers configured as CAs, other servers configured as Online Responders, and others serving as Web enrollment portals. Creating an optimal design will require careful planning and testing before you deploy AD CS in a production environment. Microsoft Windows XP, Windows 7 and Apple Mac OSX 10.5.x (Key Chain) can request and enrol in Microsoft Enterprise certificates.


Features in AD CS

By using Administrative Tool>Server Manager in windows server 2008, you can set up the following components of AD CS:

Certification authorities (CA): Root and subordinate CAs are used to issue certificates to users, computers, and services, and to manage certificate validity.

Web Enrollment: Web enrollment (http://servername/certsrv) allows users to connect to a CA by means of a Web browser in order to request certificates.

Online Responder: The Online Responder service decodes revocation status requests for specific certificates, evaluates the status of these certificates, and sends back a signed response containing the requested certificate status information.

Network Device Enrollment Service: The Network Device Enrollment Service allows routers and other network devices that do not have domain accounts to obtain certificates.


What’s new in Windows Server 2008 AD CS:

Improved enrollment capabilities that enable delegated enrollment agents to be assigned on a per-template basis.

Integrated Simple Certificate Enrollment Protocol (SCEP) enrollment services for issuing certificates to network devices such as routers.

Scalable, high-speed revocation status response services combining both CRLs and integrated Online Responder services.


Fresh Installation of Windows 2008 AD CS



Upgrading or Migrating Active Directory Certificate Services

Each organization will face a different situation when upgrading certificate services on an existing server or migrating them to a new server. But there are common tasks involved in this process. They are:

  • CA backup
  • CA configuration backup
  • Uninstall services
  • Install CA
  • CA restore
  • Active Directory cleanup (if you change the host name)
    Upgrading Active Directory CS on an existing server. Steps required:
  • Version/Edition upgrade
  • Upgrade templates in Active Directory Domain Services (perform this operation if you are upgrading from 2008 Standard to 2008 Enterprise, otherwise not)
    DC+CA situation. If you intend to demote your domain controller but the existing Certificate Authority is installed on the DC, you will want to move the CA to a separate domain member. Steps required:
  • CA backup
  • CA configuration backup
  • Uninstall services
  • Demote domain controller
  • Install CA
  • CA restore
    Performing a CA Backup
    To use the Certification Authority snap-in to create a backup of the CA database and, optionally, the CA certificate and private key:
  • Choose a backup location and attach media, if necessary.
  • Log on with local administrative credentials to the CA computer.
  • Open the Certification Authority snap-in.
  • Right-click the node with the CA name, point to All Tasks, and then click Back Up CA.
  • On the Welcome page of the CA Backup wizard, click Next.
  • On the Items to Back Up page, select the Private key and CA certificate and Certificate database and certificate database log check boxes, enter the backup location, and then click Next.
  • On the Select a Password page, enter a password to protect the CA private key, and click Next.
  • On the Completing the Backup Wizard page, click Finish.
    Exporting Registry Configuration
  • Click Start, point to Run, and type regedit to open the Registry Editor.
  • Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc, right-click Configuration, and then click Export.
  • Enter a location and file name, and then click Save. This creates a .reg file with the registry configuration information for your CA.
    Migrating CA to a Windows 2008 Server
  • Log on with local or enterprise administrator permissions to the CA computer.
  • Click Start, click Run, type servermanager.msc, and then press ENTER to open Server Manager.
  • In the console tree, click Roles.
  • On the Action menu, click Add Roles.
  • If the Before you Begin wizard appears, click Next.
  • In the list of available server roles, select the Active Directory Certificate Services check box, and click Next twice.
  • Make sure that Certification Authority is selected, and click Next.
  • Choose if you are migrating to an enterprise or stand-alone CA, and click Next.
  • Specify either Root or Subordinate CA, depending on the source CA, and click Next.
  • At this stage, you have a choice between creating a new private key or using an existing private key. Use the second option for a migration.
    • To create a new CA certificate and key, select Create a new private key.
    • For a migration, on the Set Up Private Key page, select Use existing private key.
    • Migrate
  • Click Select a certificate and use its associated private key, and click Next.
  • If the CA certificate has been installed on the computer, it will be listed in the Certificates box. Otherwise, click Import to import a certificate from the .pfx file created by exporting the CA certificate and private key from the source CA.
  • Click Browse, and locate and select the file containing the certificate and private key exported from the source CA.
  • Enter the password you selected when exporting the CA certificate and key from the source CA, and click OK.
  • Complete the rest of the installation wizard to finish installing AD CS.
  • Click Yes to accept the warning to overwrite AD DS. (This appears only if you are installing an enterprise CA.)
  • If the CA is installed on a workgroup computer or an existing private key was reused, optionally set the distinguished name suffix, and click Next.
  • If the CA is a new root CA, set the validity period for the certificate generated on the CA, and click Next. Otherwise, skip this step.
  • If required, configure the database location paths, and click Next.
  • If you are installing a subordinate CA, select whether to save the certificate request or submit it directly to the CA, and click Next.
  • To install AD CS, click Install.
    Restoring the CA Database

    To import the CA database from the source CA to the target CA by using the Certification Authority snap-in

  • Log on with administrative credentials to the target CA computer.
  • Open the Certification Authority snap-in.
  • Right-click the node with the CA name, point to All Tasks, and then click Restore CA. Click OK to confirm stopping the CA service.
  • In the CA Restore wizard, on the Welcome page, click Next.
  • On the Items to Restore page, select Certificate database and certificate database log. Click Browse, and navigate to the location of the Database folder that contains the CA database export files created when you previously exported the CA database.
  • Enter the password you used to export the CA database from the source CA, if a password is requested.
  • Click Finish, and then click Yes to confirm restarting the CA.
    To import the registry settings from the .reg file to the target CA
  • On the target CA, use the Certification Authority snap-in to stop the CA service.
  • Double-click the .reg file previously edited to open the Registry Editor.
  • Confirm that the registry keys were imported, and close the Registry Editor.
  • Restart the CA.
  • Use the Registry Editor to verify any settings that were changed or edited in the .reg file in the previous steps
  • Additionally, use the Certification Authority snap-in to verify the following settings. Right-click the node with the CA name, and click Properties.
    Managing AD CS

    AD CS role services are managed by using Microsoft Management Console (MMC) snap-ins.

    · To manage a CA, use the Certification Authority snap-in. To open Certification Authority, click Start, click Run, type mmc, click File, click Add/Remove Snap-in, click Certification Authority, click Add, click OK, and then double-click Certification Authority.

    · To manage certificates, use the Certificates snap-in. To open Certificates, click Start, click Run, type mmc, click File, click Add/Remove Snap-in, click Certificates, click Add, click OK, and then double-click Certificates.

    · To manage certificate templates, use the Certificate Templates snap-in. To open Certificate Templates, click Start, click Run, type mmc, click File, click Add/Remove Snap-in, click Certificate Templates, click Add, click OK, and then double-click Certificate Templates.

    · To manage an Online Responder, use the Online Responder snap-in. To open Online Responder, click Start, click Run, type mmc, click File, click Add/Remove Snap-in, click Online Responder, click Add, click OK, and then double-click Online Responder.

    Certificate Services Command References

    To run all of these, you must log on to the CA as an administrator and open a command prompt.

    Back up the certificate database:

    certutil -backupdb BackupDirectory

    Back up the private key:

    certutil -f -backupkey BackupDirectory

    Determine the CSP and hash algorithm:

    certutil -getreg ca\csp\*

    Query the list of serial numbers of all certificates that have an archived key associated with them:

    certutil -view -restrict "KeyRecoveryHashes>0" -out SerialNumber | findstr /C:"SerialNumber: " >sn.txt

    To convert the binary large object files created in the step above into .pfx files:

    for %i in (*.bin) do certutil -p YourPassword -recoverkey %i %i.pfx

    Disable web enrolment after uninstalling cert srv:

    certutil -vroot delete

    Shut down the CA:

    certutil -shutdown

    Find the database location:

    certutil -databaselocations

    Restore the database:

    certutil -f -restoredb BackupDirectory

    Assign templates:

    certutil -setcatemplates +templatelist

    Enable the use of version 2 and version 3 certificates on an upgraded enterprise CA:

    certutil -setreg ca\setupstatus +512

    net stop certsvc

    net start certsvc

    Resetting the CRL Publishing Period

    certutil -delreg CA\CRLNextPublish

    certutil -delreg CA\CRLDeltaNextPublish

    Restore encryption keys:

    certutil -setreg ca\KRAFlags +KRAF_ENABLEFOREIGN

    Certificate database and log file location

    %WINDIR%\system32\certlog and %WINDIR%\system32\certsrv



    How to: auto enrolment in MS certificate server

    Start menu>run>mmc.exe>ok

    File>Add/Remove Snap in>Add>Certificate Authority

    Right click on certificate templates>Manage

    Right-click Computer>Duplicate Template>type "Machine Cert" as the name

    Right-click Machine Cert>Properties

    Click the Security tab>add the domain group>select the added domain group>check Read and Auto Enrol

    All done.